Describe the bug
Built-in fapi-2-security-profile is applied to the target client "client1-dpop-mtls-ES256-ES256-fapi2-security-profile". The profile includes holder-of-key-enforcer, which checks whether a refresh token is a holder-of-key bound token whenever Keycloak receives a token refresh request with the refresh token, regardless of whether the "OAuth 2.0 Mutual TLS Certificate Bound Access Tokens Enabled" client setting is set to "ON" or "OFF". However, according to the DPoP specification, a refresh token need not be DPoP-bound for a confidential client, while it must be for a public client. Therefore, in that case the refresh token in DPoP is a Bearer token.
Therefore, holder-of-key-enforcer needs to be modified to consider this situation (e.g., checking whether a client enables DPoP or not).
Version
keycloak: 26.0.5, conformance-suite: release-v5.1.22
Expected behavior
200 OK
Actual behavior
400 Bad Request
{"error":"invalid_grant","error_description":"Client certificate missing, or its thumbprint and one in the refresh token did NOT match"}
How to Reproduce?
Supporting a conformance test whose specification is as follows:
Operation: Manual
Conformance Test: FAPI2-SP-ID2
Conformance Suite: release-v5.22
Keycloak: 26.0.5
Test Profile:
Anything else?
No response
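To make the decision rule discussed under "Describe the bug" concrete, the following is an added example, not Keycloak's code: a small Python model of the refresh-token check as this report describes it today, beside the rule the report asks for (binding enforced only where RFC 8705 or RFC 9449 requires it, and always when the token itself carries a binding). The Client and RefreshRequest dataclasses, the per-client dpop_enabled switch, and the scenario settings (client1 treated as a confidential client with certificate binding OFF) are assumptions; the cnf.x5t#S256 and cnf.jkt claim names are the ones defined by RFC 8705 and RFC 9449.

```python
"""Model of the refresh-token holder-of-key decision discussed in this issue.

Added example, not Keycloak code: client settings, the decoded refresh token
and the request are simplified so the rule can be read and run in isolation.
"""
import hashlib
import hmac
from base64 import urlsafe_b64encode
from dataclasses import dataclass
from typing import Optional


@dataclass
class Client:
    client_id: str
    public: bool              # True for a public client (no client credentials)
    dpop_enabled: bool        # assumption: a per-client "DPoP enabled" switch
    mtls_bound_tokens: bool   # "OAuth 2.0 Mutual TLS Certificate Bound Access Tokens Enabled"


@dataclass
class RefreshRequest:
    refresh_token: dict                    # decoded, already signature-verified payload
    cert_thumbprint: Optional[str] = None  # x5t#S256 of the presented TLS client certificate
    dpop_jkt: Optional[str] = None         # JWK thumbprint of the key in a valid DPoP proof


def x5t_s256(der_cert: bytes) -> str:
    """base64url(SHA-256(DER certificate)) without padding, the cnf.x5t#S256 form."""
    return urlsafe_b64encode(hashlib.sha256(der_cert).digest()).rstrip(b"=").decode()


def _matches(expected: Optional[str], presented: Optional[str]) -> bool:
    # Constant-time comparison; a missing side never matches.
    return (expected is not None and presented is not None
            and hmac.compare_digest(expected, presented))


def enforce_as_reported(client: Client, req: RefreshRequest):
    """Behaviour this issue describes: the refresh token must be certificate-bound
    and match the presented certificate, whatever the client's settings are."""
    cnf = req.refresh_token.get("cnf", {})
    if not _matches(cnf.get("x5t#S256"), req.cert_thumbprint):
        return 400, "invalid_grant"
    return 200, None


def enforce_proposed(client: Client, req: RefreshRequest):
    """Rule the issue asks for, following RFC 8705 (mTLS) and RFC 9449 (DPoP):
    - mTLS-bound tokens ON: token must carry cnf.x5t#S256 matching the presented cert
    - DPoP + public client: token must carry cnf.jkt matching the DPoP proof key
    - DPoP + confidential client: the refresh token is a bearer token (bound by client auth)
    - a binding that IS present in the token is always verified, never silently downgraded
    """
    cnf = req.refresh_token.get("cnf", {})
    if client.mtls_bound_tokens or "x5t#S256" in cnf:
        if not _matches(cnf.get("x5t#S256"), req.cert_thumbprint):
            return 400, "invalid_grant"
    if (client.dpop_enabled and client.public) or "jkt" in cnf:
        if not _matches(cnf.get("jkt"), req.dpop_jkt):
            return 400, "invalid_grant"
    return 200, None


# Constructed scenario from the report: a confidential DPoP client refreshing with a
# bearer refresh token and no client certificate. The client id is the page's; the
# "confidential" and "mTLS binding OFF" settings are assumptions.
REPORT_CLIENT = Client("client1-dpop-mtls-ES256-ES256-fapi2-security-profile",
                       public=False, dpop_enabled=True, mtls_bound_tokens=False)
REPORT_REQUEST = RefreshRequest(refresh_token={"sub": "user1", "typ": "Refresh"})


def reproduce():
    """(status as reported, status under the proposed rule) for the scenario above."""
    return (enforce_as_reported(REPORT_CLIENT, REPORT_REQUEST)[0],
            enforce_proposed(REPORT_CLIENT, REPORT_REQUEST)[0])


if __name__ == "__main__":
    print(reproduce())  # (400, 200)
```

The last clause of the proposed rule is the one worth keeping in mind when changing the enforcer: a refresh token that was issued with a cnf claim must still be verified against the presented certificate or DPoP key even if the client's binding setting has since been switched off, otherwise a stolen bound token becomes usable as a bearer token.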